The MAILING DATE of this communication appears on the cover sheet with the correspondence address
Period for Reply 



A SHORTENED STATUTORY PERIOD FOR REPLY IS SET TO EXPIRE 3 MONTH(S) OR THIRTY (30) DAYS, 
WHICHEVER IS LONGER, FROM THE MAILING DATE OF THIS COMMUNICATION. 

- Extensions of time may be available under the provisions of 37 CFR 1.136(a). In no event, however, may a reply be timely filed
after SIX (6) MONTHS from the mailing date of this communication. 

- If NO period for reply is specified above, the maximum statutory period will apply and will expire SIX (6) MONTHS from the mailing date of this communication. 

- Failure to reply within the set or extended period for reply will, by statute, cause the application to become ABANDONED (35 U.S.C. § 133). 
Any reply received by the Office later than three months after the mailing date of this communication, even if timely filed, may reduce any 
earned patent term adjustment. See 37 CFR 1.704(b). 

Status 

1) [X] Responsive to communication(s) filed on 11 July 2005.
2a) [X] This action is FINAL. 2b) [ ] This action is non-final.

3) [ ] Since this application is in condition for allowance except for formal matters, prosecution as to the merits is
closed in accordance with the practice under Ex parte Quayle, 1935 C.D. 11, 453 O.G. 213.

Disposition of Claims 

4) [X] Claim(s) 1 and 23-29 is/are pending in the application.

4a) Of the above claim(s) ____ is/are withdrawn from consideration.

5) [ ] Claim(s) ____ is/are allowed.

6) [X] Claim(s) 1 and 23-29 is/are rejected.

7) [ ] Claim(s) ____ is/are objected to.

8) [ ] Claim(s) ____ are subject to restriction and/or election requirement.

Application Papers 

9) [ ] The specification is objected to by the Examiner.

10) [ ] The drawing(s) filed on ____ is/are: a) [ ] accepted or b) [ ] objected to by the Examiner.

Applicant may not request that any objection to the drawing(s) be held in abeyance. See 37 CFR 1.85(a).
Replacement drawing sheet(s) including the correction is required if the drawing(s) is objected to. See 37 CFR 1.121(d).

11) [ ] The oath or declaration is objected to by the Examiner. Note the attached Office Action or form PTO-152.

Priority under 35 U.S.C. § 119 

12) [ ] Acknowledgment is made of a claim for foreign priority under 35 U.S.C. § 119(a)-(d) or (f).
a) [ ] All b) [ ] Some * c) [ ] None of:

1. [ ] Certified copies of the priority documents have been received.

2. [ ] Certified copies of the priority documents have been received in Application No. ____.

3. [ ] Copies of the certified copies of the priority documents have been received in this National Stage
application from the International Bureau (PCT Rule 17.2(a)).
* See the attached detailed Office action for a list of the certified copies not received.

DETAILED ACTION

1. Claims 1 and 23-29 have been examined and are pending.
Claims 2-22 have been canceled. 

Claims 23-29 are newly added. 

Response to Amendment 

2. Applicant's amendment filed 7/11/2005 necessitated the new ground(s) of rejection
presented in this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP 
706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a). 

Claim Rejections - 35 USC § 112 
The following is a quotation of the second paragraph of 35 U.S.C. 112: 

The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the 
subject matter which the applicant regards as his invention. 

3. Claims 1 and 23-29 are rejected under 35 U.S.C. 112, second paragraph, as being
indefinite for failing to particularly point out and distinctly claim the subject matter which 
applicant regards as the invention. 

The examiner requests applicant to further explain the nature of the claimed invention
with respect to the acronyms used (PP, ST, TOE in relation to each other). However, if applicant 
believes that an interview with the examiner would be more helpful and expedite prosecution of 
this application, the examiner invites applicant to call for a personal or telephone interview at the 
number listed below. 

Claim 1 recites "the registered PPs or STs local PPs" in line 21. There is insufficient 
antecedent basis for "the registered . . . STs local PP" in the claim. 

Claim 28 recites the limitation "the partial database" and "the case database" in lines 4
and 5 respectively. There is insufficient antecedent basis for these limitations in the claim. 

Dependent claims 23-27 and 29 inherit the 35 U.S.C. 112 issues of the independent claim
1 and may not be further considered on their individual merits. 

Claim Rejections - 35 USC § 103 

The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all 
obviousness rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or described as set forth in 
section 102 of this title, if the differences between the subject matter sought to be patented and the prior art are 
such that the subject matter as a whole would have been obvious at the time the invention was made to a person 
having ordinary skill in the art to which said subject matter pertains. Patentability shall not be negatived by the 
manner in which the invention was made. 

4. Claims 1, 23, and 28-29 are rejected under 35 U.S.C. 103(a) as being unpatentable over 
prior art of record, Richard Baskerville, ACM Computing Surveys, December 1993 and further 
in view of US patent No. 5,850,516 to Schneier.

As per claim 1, Baskerville discloses a security system design supporting method 
implemented in a security system design supporting tool including a processor which conducts 
processings on data stored in memory, for supporting designing of security requirements or 
security specifications based on an international security evaluation criteria during 
planning/designing of an information-related product or an information system, said method 
comprising the steps of (Baskerville, page 394, section 2.3, computer-Based Mechanistic 
Engineering methods): 

providing, in the memory, a template case database for storing protection profiles (PPs) 
that have been internationally registered or PPs or STs (security targets) (Baskerville, page 395, 
CRAMM software, stage 3, wherein the existing system countermeasures (controls) are
entered in the CRAMM software, based on asset groups, risk levels, existing controls (i.e.
PPs that have been generated and that have not been registered) and an internal database
of 900 possible countermeasures (i.e., PPs that have been internationally registered)), and

that have been generated and that have not been internationally registered, in a class-tree
structure based on an inheritance relation between types of products or systems as a target of
evaluation (TOE) of said PPs or STs.

specifying, to the processor, the PPs or STs related to the TOE by designating elements 
included in the products or systems, type and evaluation assurance level of the TOE, and 
retrieving a relevant class-tree structure from said database (page 395, CRAMM, Stage 2, 
wherein the second stage commences with the grouping of assets into suitable "asset 
groups" and analyzing the asset groups using a database of 17 generic threats and 
calculating the level of risks for each asset group); and 

generating, by the processor, a PP or ST draft of the TOE by integrally editing contents of 
a definition of the specified PPs or STs. 

wherein as to the generated PP/ST draft of the TOE, if the registered PPs or STs local PP 
matches PPs or STs retrieved from the database, the retrieved PPs or STs are used (page 395,
CRAMM stage 3, wherein countermeasures (controls) are entered into CRAMM software 
based on asset groups, risk levels, existing controls, it then compiles a list of recommended 
additional countermeasures, i.e. internally editing the contents of a definition of the 
specified PPs or STs, page 396, and mapping between the profile table entries and the 
standards file), 

Baskerville is silent in disclosing that the PPs or STs are generated and registered in a
class-tree structure and if there is no match, high-order PPs or STs among the generated PPs or
STs are retrieved based on an inheritance relation to thereby partially add and correct the 
PPs/STs. 

However, Schneier teaches (Fig. 5 and associated text) a computer implemented method 
and apparatus wherein security of system is represented in a class-tree structure (Abstract, see 
col. 5, lines 65-67, col. 6, lines 25-43, col. 11, lines 47-67). 

Schneier further teaches that once the user identifies the system to be analyzed (col. 11, 
lines 24-46) having established the tree structure, a tree analysis software (col. 12, lines 15) 
determines the value of a node and determines if the goal node value has been calculated. If not, 
the process retrieves another child node for processing and once the value of the goal node 
(higher order based on an inheritance relation) is calculated, the value is displayed on video 
display of the computer system. 

Therefore, it would have been obvious to one of ordinary skill in the art at the time the 
invention was made to employ the teachings of Schneier's tree structure database in the
CRAMM's risk analysis tools (disclosed in Baskerville) with motivation to provide quantitative
capabilities in comparing different countermeasures (Schneier, col. 2, lines 45-63). 

As per claim 23, Baskerville as modified discloses the security system design supporting 
method according to claim 1, wherein if the high-order PP among the generated PPs is not 
successful to match, the generated PP draft is registered in a local PP/ST tree structured database 
(Fig. 5 and associated text, elements 520-560, where CPU executes tree software displaying 
leaf node requiring input and processing child nodes until goal node determined.) 

The Examiner supplies the same rationale for the combination of Baskerville and
Schneier provided in claim 1.

As per claim 28, Baskerville as modified teaches the security system design supporting 
method according to claim 1, further comprising the steps of: storing information newly added as 
the result of PP or ST generation in the process of PP or ST generation in accordance with the 
inheritance and correspondence in the template case database and the partial case database; and 
improving and expanding the information stored in the case database (Fig. 5 and associated 
text, elements 520-560, where CPU executes tree software displaying leaf node requiring 
input and processing child nodes until goal node determined.)

The Examiner supplies the same rationale for the combination of Baskerville and 
Schneier provided in claim 1. 

As per claim 29, Baskerville teaches the security system design supporting method 
according to claim 1, wherein the generated PP or ST can be evaluated in a PP or ST evaluation 
check list in the form of questions based on an international security evaluation method 
(Baskerville, page 395, CRAMM stage 2, page 396, table 8).

5. Claim 24 is rejected under 35 U.S.C. 103(a) as being unpatentable over prior art of 
record, Richard Baskerville and Schneier as applied to claim 1, and further in view of US Patent 
No. 6,484,261 to Wiegel. 

As per claim 24, Baskerville and Schneier do not disclose but Wiegel discloses the
security system design supporting method according to claim 1, further comprising the steps of 
(Abstract, col. 13, lines 14-22): 

indicating the PPs or STs stored in the template case database as icons by which the
constituting elements, type and the evaluation assurance level can be identified (col. 14, lines 20-35);

specifying the PPs or STs related to the TOE from the inheritance tree based on a 
reference PP or ST cases of the inheritance between the PPs or STs expressed in a tree (col. 14, 
lines 39-42); and 

producing a structure diagram of the TOE using the icons of said specified PPs or STs as 
constituting elements (col. 14, lines 43-52). 

It would have been obvious to one of ordinary skill in the art at the time the invention
was made to employ the graphical network security policy management of Wiegel in CRAMM's
risk analysis tools with a motivation to construct a security policy that is easily understood by
an administrator (Wiegel, col. 4, lines 24-30).

Action is Final 

6. THIS ACTION IS FINAL. Applicant is reminded of the extension of time policy as set 
forth in 37 CFR 1.136(a). 

A shortened statutory period for reply to this final action is set to expire THREE 
MONTHS from the mailing date of this action. In the event a first reply is filed within TWO 
MONTHS of the mailing date of this final action and the advisory action is not mailed until after 
the end of the THREE-MONTH shortened statutory period, then the shortened statutory period 
will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 
1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, 
will the statutory period for reply expire later than SIX MONTHS from the mailing date of this
final action. 

Conclusion 

7. Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to Taghi T. Arani whose telephone number is (571) 272-3787. The 
examiner can normally be reached on 8:00-5:30 Mon-Fri. 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Ayaz Sheikh can be reached on (571) 272-3795. The fax phone number for the 
organization where this application or proceeding is assigned is 703-872-9306. 

Information regarding the status of an application may be obtained from the Patent 
Application Information Retrieval (PAIR) system. Status information for published applications 
may be obtained from either Private PAIR or Public PAIR. Status information for unpublished 
applications is available through Private PAIR only. For more information about the PAIR 
system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR 
system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). 

Taghi T. Arani, Ph.D. 
Examiner 
Art Unit 2131 
9/27/2005 